Apart from the context of feed records, you can insert individual fields of a feed record into outgoing events, under names of your choice. These fields are listed in the ActionableFields element of a feed description.
The ActionableFields element has no attributes. It contains ActionableField elements, one for each actionable field. An ActionableField element has two attributes: name and output_name. The name attribute contains the name of the field as it is used in the feed. The output_name attribute contains the name under which the field is inserted into outgoing events. If the output_name attribute is omitted or empty, the field name in the outgoing event is the same as the field name specified in the feed.
Example:
    <Feed filename="IP_Reputation_Data_Feed.json">
        <Field name="ip" matching_type="Exact" input_regexp_to_match="RE_IP" category="KL_IP_Reputation" />
        <ActionableFields>
            <ActionableField name="threat_score" output_name="thr" />
            <ActionableField name="category" output_name="Category" />
        </ActionableFields>
    </Feed>
In the formats of outgoing events, the actionable fields are referred to by the %ActionableFields% variable. If no actionable field is specified for a feed, the %ActionableFields% variable refers to an empty string. For fields that are not present in a feed record, empty values are implied.
If a feed record contains several fields with the same name, and that name is listed among the actionable fields, the outgoing event contains all of their values in one field, delimited by a semicolon.
Example:
The configuration file contains the following element for a specific feed:
    <ActionableField name="files/MD5" output_name="fileHash" />
The feed contains the following record that is involved in the detection process:
    "files": [
        { "MD5": "0123456789ABCDEF0123456789ABCDEF", },
        { "MD5": "4123456789ABCDEF0123456789ABCDEF", },
        { "MD5": "2123456789ABCDEF0123456789ABCDEF", }
    ]
Feed Service generates the following field in the outgoing event:
    fileHash=0123456789ABCDEF0123456789ABCDEF;4123456789ABCDEF0123456789ABCDEF;2123456789ABCDEF0123456789ABCDEF
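As an added illustration (not Feed Service's own code), the following Python models how the actionable fields described above could be resolved against a feed record: the output_name fallback, the "/" path into nested array elements as in files/MD5, semicolon-joined repeated values, and empty values for missing fields. The feed description, the record and the name=value rendering of %ActionableFields% are constructed; the path semantics are an assumption inferred from the files/MD5 example.

```python
import json
import xml.etree.ElementTree as ET

# Constructed feed description fragment; element names follow the page, values are made up.
FEED_DESCRIPTION = """
<Feed filename="Malicious_Hash_Data_Feed.json">
  <ActionableFields>
    <ActionableField name="files/MD5" output_name="fileHash" />
    <ActionableField name="threat_score" output_name="" />
    <ActionableField name="category" />
    <ActionableField name="missing_field" output_name="absent" />
  </ActionableFields>
</Feed>
"""

# Constructed feed record with sample values only.
RECORD = json.loads("""
{
  "threat_score": 100,
  "category": "Malware",
  "files": [
    {"MD5": "0123456789ABCDEF0123456789ABCDEF"},
    {"MD5": "4123456789ABCDEF0123456789ABCDEF"}
  ]
}
""")

def parse_actionable_fields(xml_text):
    """Return (name, output_name) pairs; an omitted or empty output_name falls back to name."""
    root = ET.fromstring(xml_text)
    return [(el.get("name"), el.get("output_name") or el.get("name"))
            for el in root.iter("ActionableField")]

def lookup(obj, path):
    """Collect every value at a '/'-separated path; arrays fan out (assumed path semantics)."""
    if isinstance(obj, list):
        return [v for item in obj for v in lookup(item, path)]
    if not path:
        return [obj] if isinstance(obj, (str, int, float)) else []
    head, _, rest = path.partition("/")
    return lookup(obj[head], rest) if isinstance(obj, dict) and head in obj else []

def actionable_fields(record, pairs):
    """Map output_name -> value; repeated values joined with ';', absent fields give ''."""
    return {out: ";".join(str(v) for v in lookup(record, name)) for name, out in pairs}

def render_actionable_fields(fields):
    """Expand the %ActionableFields% variable as name=value pairs (constructed layout)."""
    return " ".join(f"{k}={v}" for k, v in fields.items())
```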
The format in which name-value pairs of the actionable fields are inserted into the outgoing events is specified in the OutputSettings > ActionableFieldContextFormat element of the Feed Service configuration file.